back to article Leatherbound analogue password manager: For the hipster who doesn't mind losing everything

News reaches us that will leave password management outfits quaking in their boots. The Conran Shop has a solution for forgetful users, and it is a snip at a mere £22. Users need to remember a bewildering array of passwords just to get through an average day, which can lead to some pretty shoddy practices as revealed in the …

  1. Timmy B

    Who on earth is going to spend £22 on that tat? The printing, stitching and leather are junk going from the pictures. I don't even care about the security implications when I'm so shocked at the quality.

    1. Lord Elpuss Silver badge

      I thought you were exaggerating. Then I clicked the link.

      It's absolutely hideous; I've seen better for 99c from Ali Express.

      1. Mage Silver badge

        Security features

        A £2 address book is a GOOD idea. Website/service, email, user, password etc.

        NEVER take it out of premises.

        Never EVER put in laptop bag.

        Do put in safe or with Will etc, in case you are knocked down crossing road, stroke, heart attack or assassinated.

        It's actually good security practice to have a secured hard copy of all security information. Maybe even a second off site secure location.

        Not though in your jacket, open plan office or laptop bag.

    2. Flywheel
      FAIL

      "Expertly designed and crafted by Fabriano"

      *sigh* It's artisanal Artisanal! The seemingly irregular nature of the stitching only serves to emphasise the handmade quality of the item. The faux-puerile nature of the blocked text lends an air of uniqueness to each and every item. John Bull would be proud!

      Apparently.

      1. Voland's right hand Silver badge

        Expertly designed and crafted by Fabriano"

        You clearly do not understand the effect of "designed label" on the people who have an inferiority complex for which they have to compensate by having the latest and greatest of everything.

        1. Wellyboot Silver badge

          fashion victims

          and where 'more expensive = must be better'

          1. Timmy B

            Re: fashion victims

            "where 'more expensive = must be better'"

            If that's the case I can make the best one. I actually do make things out of leather, including bags, pouches, book covers, etc. Anyone who wants one can order one from me. For really good quality leather I can do you one for £200. If you want one with traditionally tanned buckskin £350. Any takers?

            1. Chris G

              Re: fashion victims

              Traditionally tanned buckskin was softened by Indian maidens chewing the hides to soften them, can you guarantee that is the case with your product?

              Photos of said maidens chewing your buckskin or it hasn't happened.

              I make pretty good journal covers from leather to order, I can guarantee they haven't been chewed by me.

              Average price for hand stitched, oiled leather €50-€60.

              1. Timmy B

                Re: fashion victims

                "Traditionally tanned buckskin was softened by Indian maidens chewing the hides to soften them, can you guarantee that is the case with your product?"

                Sorry. You've listened to Hollywood and not read your history books. :) I do a variety, from bark to brain tan and various other processes that I'll not bore people with. All are hand or frame softened depending on animal and hide thickness / quality.

                I was having a giggle with the price and you quote is far better but I do tend to carve patterns into mine and that will inflate the price, of course. And one done in my buckskin with actual sinew stitching is going to clear £100.

                1. Giovani Tapini
                  Coffee/keyboard

                  Re: fashion victims

                  @Timmy B

                  Ooh, does that mean you process the leather with real wee? !

              2. This post has been deleted by its author

            2. Andy Non Silver badge

              Re: fashion victims

              @Timmy B

              I'll take one. It must be better than the post-it note on my computer with my TSB online banking username of Imawally and password of qwerty-123456. You might as well take the money out of my account by direct bank transfer, I haven't got time to do it myself, too busy giving a security seminar this afternoon.

          2. Gritzwally Philbin
            Meh

            Re: fashion victims

            Oh hell.. well that's it for me and my 2 dollar spiral bound blank-page notebook I bought in 1998. 20 years on and it's not been nicked, copied or dropped in the toilet (my God, who pulls out their password book on the toilet? Unnatural, that is..)

            The biggest drawback is that over the years I've pulled pages to make shopping lists with and the poor notebook is running out of room.. Though I DO still have my AudioGalaxy password and username jotted down. The thing that makes you think the most however, are the number of old e-mail addresses and contacts with folks I knew that have died over the years. Hmm.

          3. Anonymous Coward
            Anonymous Coward

            Re: fashion victims

            'more expensive = must be better'

            £22! pah, that's nothing. My secure analogue password recorder cost best part of £1000.

            I write down my passwords on the lid of my laptop with a Sharpie.

            What the long term cost will be is a known unknown... I think

      2. Gene Cash Silver badge

        Deckeled

        Speaking of "Artisanal"... I learned a new word recently: "deckel" which means "we couldn't be bothered to finish the book and cut the paper properly"

        I ordered a book, and I thought I'd gotten a screwed up copy, because none of the pages were cut square. I went back to Amazon and found out I had the "fancy" deckled copy and I'd paid extra for this "privilege" and so I gave it a 1-star review for this wonderful feature.

        It made reading the book a nightmare, because it was REALLY difficult to turn the individual pages.

        1. Timmy B

          Re: Deckeled

          That's from deckle cut. It's the phrase used for uncut paper straight from the paper making frame - known as a deckle. You may get charged more because the paper was likely made by hand and not machine.

    3. Enric Martinez

      That's actually the key point mate!

      It's so shoddy that a the last thing a thief may thing is that you keep important information in there.

      Clever he?

  2. Anonymous Coward Silver badge
    Thumb Up

    This is actually a good thing.

    It makes the low-hanging fruit that bit lower, which makes things safer for those of us who aren't so intellectually challenged.

    It's basically a big sign saying both 'here are my passwords' and 'I've got too much money' (why else spend so much money on a notepad?)

    1. stiine Silver badge
      Thumb Down

      wrong, yet again.

      This is only true if NONE OF THEM use the same services as you, which is unlikely.

      1. Anonymous Coward
        Anonymous Coward

        Re: wrong, yet again.

        If "they" lose their account access to miscreants, how is that a problem for me using the same service? To the service the miscreant will look like a kosher user with the same privileges as the rest of the users.

    2. caffeine addict

      Companies should give them out to their users. Anyone found to have used it for the intended purposes just fired from a canon.

      Similar (ish) recent job I had here.

      PM : The website for users to access HR. Add a button to print the page.

      Me : But... why? The browser does that.

      PM : Not all users will know that.

      Me : Okay. So what about if I make it so that everyone who presses that button has their contact details forwarded to HR for not being able to use a web browser?

      PM : No.

      1. Ken Hagan Gold badge
        Headmaster

        "Anyone found to have used it for the intended purposes just fired from a canon."

        Pachelbel's?

  3. W60

    The fact there is not even a lock on it to give any attempt of security

    1. Mage Silver badge

      Re: Lock

      Only diaries with glitter, ponies or fairies on the cover, usually pink, have locks.

      Easily operated by the spam tin key for convenience of mother or brother.

  4. Warm Braw

    User-generated obfuscation

    Invisible ink?

    1. Shadow Systems

      Re: User-generated obfuscation

      There is an easy form of exactly that, as long as you can remember the order of certain glyphs.

      Imagine a 3x3 grid like a tic tac toe board. In the upper left corner you place a single dot in the corner. In the top center you place a dot in the middle of the space. In the top right you place a dot in the corner. In the center left square you place a dot in the middle; in the center square the dot goes in the center; in the center right square the dot goes in the middle. In the lower left square the dot goes in the corner, in the bottom middle square the dot goes in the middle, & in the bottom right the dot goes in the corner. Now consider each square one letter of the alphabet, in this case A to I. Repeat the tic tac toe board with squiggles, x's, or even smiley faces until you have enough for all 26 letters & 10 numbers. Now you just have to remember in which order you created each grid (I suggest using 1 dot for the first, 2 for the second, 3 for the third & so on), that way you can simply look at which direction the square faces, at what doodle is inside the square, & do the mental math to figure out what letter/number it represents. You've just created a cypher that very few folks will be able to decode easily (if at all), much less on the fly from memory.

      You can use that method to write passwords, using a line over the glyph to mean an uppercase letter or to multiply the digit by some value of ten (although Roman Numerals are a greater PITA than just writing out the numbers themselves).

      My friends & I used to do this all the time back in school. We'd leave each other notes, leave single glyphs to confuse folks on sticky notes stuck to things, & generally have fun throwing folks for a loop.

      I challenged one to write his English homework in code, he retaliated by daring me to write an entire book report the same way. I refused only because my teacher had no sense of humour, but I made up for it by writing a story that way instead. He laughed his ass off when he saw the 50 pages of single spaced, college ruled binder paper covered in hieroglyphics. =-)p

      I kept a pocket flip cover notepad in my pocket for years, a tiny pencil in the spine, so I could take notes when an idea struck me. Putting them into code was a good way to make sure my parents didn't know what trouble I was getting into. (Had they been able to decode it, they would have grounded me so fast it would have made my head spin!) So do something along those same lines to keep your own notes, including passwords. The chances that some random stranger finding the pad & being able to read it are low, & knowing what's written there belongs to *you* is almost nonexistent. (Unless you have a mailing address label for yourself stuck inside the cover so they know where to return it, but that's another story.) =-)

      1. Woza
        Headmaster

        Re: User-generated obfuscation

        There's another way to use a 3x3 grid - Iain M. Banks' Marain (http://trevor-hopkins.com/banks/a-few-notes-on-marain.html).

        But I'm confused by "You've just created a cypher that very few folks will be able to decode easily (if at all)" - isn't that just a substitution cipher? While strong passwords should render frequency analysis unprofitable, relying on that to keep secrets written in your native language seems potentially risky, depending on the audience. Or am I missing something?

        1. Giovani Tapini
          Black Helicopters

          Re: User-generated obfuscation

          Isnt it call the Mason's Cypher - or have I said too much about the poster already?

      2. Andrew Newstead

        Re: User-generated obfuscation

        That's the pig pen cypher, originally used as a Masonic code.

    2. sawatts

      Re: User-generated obfuscation

      Nah just try to read my handwriting...

      1. Jason Hindle

        Re: User-generated obfuscation

        Meh - just encode everything ROT26.

        1. DropBear

          Re: User-generated obfuscation

          "just encode everything ROT26."

          Well known to be no longer secure. If you must keep using it, at least stick to triple-ROT26...

      2. Chris King
        Trollface

        Re: User-generated obfuscation

        "Nah just try to read my handwriting..."

        My careers teacher suggested I should be a doctor.

        "King, your handwriting is so bad, it deserves to poison someone !"

      3. Wensleydale Cheese

        Re: User-generated obfuscation

        "Nah just try to read my handwriting..."

        Might not work if your other half is a pharmacist.

    3. Hans Neeson-Bumpsadese Silver badge

      Re: User-generated obfuscation

      My dear old mum worked for years as a secretary, and so was proficient in shorthand. At home she used that any time she wanted to write anything down that she didn't want my Dad or I to be able to read.

    4. itzman

      Re: User-generated obfuscation

      I often use unshared secrets.

      Items of trivia from my past that no one will ever discover, like the number plate of a friends car in 1967...

      Writing down "Tims Ford Prefect" isn't giving a whole lot away.

      1. Allan George Dyer
        Facepalm

        Re: User-generated obfuscation

        'Writing down "Tims Ford Prefect" isn't giving a whole lot away.'

        Until Tim posts a photo of the car on Facebook with the caption, "Remember the fun we had, itzman?"

  5. Wellyboot Silver badge

    Name > website / Phone No. > password

    So it's just an old personal phone book with the column headings changed.

    For security, leave it at home.

    1. Captain Scarlet Silver badge

      Re: Name > website / Phone No. > password

      Yeah I recommend using a standard A5 paper book to anyone I think will be confused by a password manager.

      I recommend remember your email and bank passwords and put anything else in the book (As a password can easily be reset if you can access your email account)

      Try to keep it in alphabetical order and use one page per site.

      Stating the book is for passwords is a bit silly, if its in the home in a draw hopefully it will be missed if burgled.

      1. stiine Silver badge

        Re: Name > website / Phone No. > password

        Or better yet, be in a safe.

        1. Flocke Kroes Silver badge

          Re: Or better yet, be in a safe

          You put strange things in a safe. I would go with a 3D printed handgone with some ammunition, a dozen little transparent plastic bags of rat poison, PFY's cattle prod with conductive handle and trigger and a home-burned DVD of the Eurovision song contest.

        2. Anonymous Coward
          Anonymous Coward

          Re: Name > website / Phone No. > password

          Or better yet, be in a safe.

          Don't forget to write the combination down in the book first before you put it in the safe - just in case you forget!

      2. fruitoftheloon
        Happy

        Captain Scarlet: Re: Name > website / Phone No. > password

        CS,

        could you recommend a pwd manager for Mac OS please?

        Cheers,

        Jay

        1. Captain Scarlet Silver badge

          Re: Captain Scarlet: Name > website / Phone No. > password

          Not being a Mac user I'm not sure. KeePass has an unofficial port but I don't know how well that works. Any MacOSX users want to recommend?

          A safe to store the book in I'm not 100% sure on, if someone breaks into the safe I think they would take everything in it including the book.

          Have a thumbs up for the draw comment, yes I meant drawer.

          1. fruitoftheloon
            Happy

            Re: Captain Scarlet: Name > website / Phone No. > password

            CS,

            ta!

            Regards,

            Jay

        2. JLV

          >pwd manager for Mac OS

          1Password is OK.

          Likes:

          - it works

          - fairly comprehensive and seems serious about providing a good product. they've been caught out in some of the password manager audits, like others, but they patched promptly.

          - you don't HAVE to store stuff in the cloud. if not, no syncing, but that's ok

          - you don't have to use browser integration and you can keep it closed most of the time.

          - multiplatform.

          Dislikes:

          - data file is stored in/mediated by macos Keychain. That's probably an overall positive, but worries me about what would happen if the mac dies and Time Machine doesn't save the day. I'd rather export it encrypted somewhere, only needing the app and the master password to restore. Now, IIRC, I did manage to find the file somewhere and do just that, but it's not well documented and needlessly obfuscated and complex to do so.

          1. Wensleydale Cheese

            Re: >pwd manager for Mac OS

            "1Password is OK."

            "- you don't HAVE to store stuff in the cloud. if not, no syncing, but that's ok"

            You can sync without the cloud but it's a bit fiddly.

            In the Likes section I'll add that it has a record type of Software Licence. I've got all mine stashed in 1Password, nicely in one place.

        3. katrinab Silver badge

          Re: Captain Scarlet: Name > website / Phone No. > password

          The built-in keychain works well, and syncs with your iDevices.

        4. davemcwish

          Re: Captain Scarlet: Name > website / Phone No. > password

          @fruitoftheloon

          LassPass works fine for me, either browser plugin or the app, syncing automatically with my iPhone and Win 10 PC.

      3. RFC822

        Re: Name > website / Phone No. > password

        ... in a draw....

        Why would you put it in a lottery?

      4. Anonymous Coward
        Anonymous Coward

        Re: Name > website / Phone No. > password

        But will an A5 paper book be compatible with passwords?

    2. Frank Bitterlich

      Re: Name > website / Phone No. > password

      Look closely... they din't even change the column headings. The righthand column still has telephone symbols in the heading.

      I suspect this started as a practical joke in the marketing department, until some sales dude put it onto their website. Then the orders started pouring in, and there was no way back...

    3. DuchessofDukeStreet

      Re: Name > website / Phone No. > password

      If it's going to be useful it needs to be kept where it's going to be used - ie next to the computer, and readily accessible.

      For those of you old enough to remember, was the Phone Book ever kept anywhere other than by the phone? (For the rest of you, this means back in the days when a home had a single land line with a handset usually in the hall, and the search engine of local phone numbers delivered in two thick softcover books delivered to your front door every twelve months. National and international (!) numbers had to be requested from the operator).

  6. Anonymous Coward
    Anonymous Coward

    Post-it notes and not those expensive ones, the ones you get at the pound shop. Perfect and they solve that other age old IT problem of having to keep giving everyone your password every time you change it. It's literally right there.

    1. AMBxx Silver badge

      Who needs Post-it notes? Just do what the NHS does - force users to change password every 3 months so they pick a simple password and stick the month number on the end. Password1 is accepted to make it extra easy to hack an NHS email account.

      1. John 110

        Just do what the NHS does...

        You fool!! Now everyone knows!!! I'll have to start putting a 2 on the end now!!!! (or some more exclamation marks!!!!!)

        1. Anonymous Coward
          Anonymous Coward

          Re: Just do what the NHS does...

          Never mind that here medical personnel doesn't even bother any more to ask "it's the birth year, right?" for health cards - it is, for everyone, and everyone knows it. Yes, really.

          1. Tim 11

            Re: Just do what the NHS does...

            Here's another NHS secret: Want to break into any nursing home? the door code is 1066.

            OTOH - Don't want to break into a nursing home? hmm yes I can see that :-)

            1. Ken Moorhouse Silver badge

              Re: the door code is 1066.

              You might want to avoid NHS properties where the door code is 1665.

  7. Dave Bell

    What can you trust?

    I would trust a notebook, kept in a secure place, as my back-up to any of the fancy, computerised, alternatives. It's not as convenient for daily use, but it can work as part of a system. Some of the risks for me are different from those of a busy office. Different risks mean different answers.

    Recent experience makes me wary of password managers. They're software. Software goes wrong. What then?

    When did you last test a back-up?

    1. stiine Silver badge
      Happy

      Re: What can you trust?

      I restored from a backup in June, successfully, I might add.

    2. AMBxx Silver badge
      Facepalm

      Re: What can you trust?

      I trusted the solicitor when I last updated my will. Side letter with all the usernames, passwords and account details of all our financial stuff. To be given to my wife should I die.

      The solicitor very helpfully photocopied it and sent a copy in the post.

      1. Aladdin Sane

        Re: What can you trust?

        Did it include all the usernames and passwords that should not be given to your wife?

    3. Baldrickk

      Re: When did you last test a back-up?

      I ran a (someone else's) script on Friday and wiped out a decently large amount of one of our network drives.

      The backup is being restored today (no snapshots on that drive, so Thursday's tape had to be acquired.

  8. Dan 55 Silver badge

    I do like the cover title

    Very discreet. Will certainly deter anyone who's prying.

    1. Anonymous Coward
      Anonymous Coward

      Re: I do like the cover title

      Like the waste bin in our office conveniently labelled "Confidential".

      Well, it was until some wise guy with a pair of scissors discovered that confidential is an anagram of "I can fondle it". At least it's more secure now.

  9. Dave 126 Silver badge

    Telememo watches

    Casio still sell a range of inexpensive, reliable watches in a range of styles with a Telememo function. It's a bit fiddly to enter alphanumeric info into them though. A watch is harder to lose than a notebook. You can store a password and don't have to note which account it is for. If you lose your watch it can't necessarily be linked to you by a bad guy. Of course if you do lose your watch it'd be a good idea to have your passwords written down at home stored on waterproof paper in a half eaten jar of mayonnaise at the back of the fridge (or hiding place of your choice)

    1. hplasm
      Happy

      Re: Telememo watches

      "...on waterproof paper in a half eaten jar of mayonnaise at the back of the fridge.."

      Sadly vulnerable to the EWW Police.

    2. Baldrickk

      Re: Telememo watches

      And yet I've lost more watches than notebooks.

      In face I don't think I have ever lost a notebook, but I've lost at least 5 watches...

      I take them off, I don't like wearing them. Notebooks are bulky enough to be in a bag or something.

  10. Anonymous Coward
    Anonymous Coward

    I've got a better solution...

    We keep all our passwords at home in a book, but it's labelled as "NOT password book".

    What could possibly go wrong with that?

    (and I'm not joking, we really do have that. It's really just for not so important stuff, and you'd have to break into our house to get it. But I'll post this as AC anyway, just in case)

    1. Mike 125

      Re: I've got a better solution...

      >>but it's labelled... we really do have that...

      I was about 9 when I stopped labelling books. Was I a prodigy?

      1. Dave 126 Silver badge

        Re: I've got a better solution...

        Labelling books, folders and toolboxes is fair enough since you can't see the contents without opening them... it's the labelling of jars 'Kitchen Utensils' (with spatulas and whisks poking out the top) that I don't understand.

        1. David Nash Silver badge

          Re: I've got a better solution...

          Labelled kitchen jars...it's so you know what they are for when you buy them.

        2. DropBear

          Re: I've got a better solution...

          "it's the labelling of jars 'Kitchen Utensils' (with spatulas and whisks poking out the top) that I don't understand."

          I know many of us around here are supposedly "on the spectrum" and have varying amount of trouble dealing with subtext, but come on - that's basically textbook. There are eleventy billion reasons to label something beyond the basic intent to convey apparently redundant information, of which "I told you a hundred times to put it back right here after you used it you bastard!" or "No, you can't use this jar to clean your carb jets keep your pickles in even if you see it empty!" or "Guess what yes I have OCD, do you have a problem with that?" are merely some of the simpler and more benevolent ones...

        3. Dan 55 Silver badge
          Coat

          Re: I've got a better solution...

          it's the labelling of jars 'Kitchen Utensils' (with spatulas and whisks poking out the top) that I don't understand.

          To the Bat Kitchen!

          Mine's the black cape.

        4. Wensleydale Cheese

          Re: I've got a better solution...

          "it's the labelling of jars 'Kitchen Utensils' (with spatulas and whisks poking out the top) that I don't understand."

          My kitchen utensils are in a jar intended to store spaghetti.

          I leave my spaghetti in its wrapper in a cupboard, protected from the smoke from burnt toast, smoky grills, flies etc.

        5. Schultz

          "it's the labelling of jars 'Kitchen Utensils' (...) that I don't understand."

          That's to remind the users to Put It Back Where It Belongs after use. Nifty, isn't it?

      2. Teiwaz

        Re: I've got a better solution...

        I was about 9 when I stopped labelling books. Was I a prodigy?

        Earlier - not by choice - the school insisted all pupils books have a cover - the really really horrible wallpaper I had to use wouldn't take even a permanent marker and any taped labels slid off within a day leaving a slimey sticky patch.

    2. fruitoftheloon
      Thumb Up

      @AC: Re: I've got a better solution...

      AC,

      yup, same here, except for my primary email and e-banking etc..

      Jay

  11. Pen-y-gors

    How to waste bad people's time.+

    Obviously the big danger is losing it. Which is why I keep mine on a few sheets of A4 and take a photocopy from time to time.

    But would you really write your passwords in plain? Surely anyone with half a brain would obfuscate them? Add three random characters in the middle or something? There will then be a lot of frustrated bad people trying and failing to login to your a/c with your p/w

    1. Lord Elpuss Silver badge

      Re: How to waste bad people's time.+

      Or just have one of these books filled with garbage, and keep your real passwords somewhere else. Should waste a few hours of thief/cybervillain/state actor time before they realise...

      I used to carry around a MicroSD with all kinds of dodgy files on it (a folder called Project Reticle, a spreadsheet full of random 5-letter groups, an astrophysics PDF with certain letters in the article strategically highlighted, and so on) - just to waste the time of any agent that might stop and search me.

      Until somebody reminded me that if they DID stop me, and found said MicroSD, there was a distinct probability that they would lock me up until I told them what it all meant. Which would likely be an extremely long time given that it was garbage.

      So I left it taped to the side of a coffee cup in Starbucks. Still wonder from time to time what became of it and if it ever ended up being 'investigated'.

      1. Mike 16

        Re: How to waste bad people's time.+

        I'll just leave this here:

        http://www.milk.com/wall-o-shame/security_clearance.html

        Title:

        What Not To Write On Your Security Clearance Form

        A little tale of how a childhood fascination with cryptography led to later life infelicities.

        Of course, only criminals and people who have access to U.S. nuclear launch codes imagine the FBI to be "bad people", right?

  12. James 51
    Big Brother

    Of course what you do is have a little deamon running in the background looking for login attempts against the usernames in your book. Then you know someone is after you.

  13. HPCJohn

    Passwords are outdated

    I think this really flags up that passwords are an outdated concept. Mock as much as you like abotu writing passwords down, but why in the 21st Century are we relying on a series of characters pressed out on what is quaintly known as a 'keyboard'.

    I don't have the solution myself, however I rather do like Microsoft Hello and facial recognition.

    I realise there will be many responses saying 'this is not secure enough'

    For centuries, people have placed great store in physical keys. You can still see keys for ancient castle doors for instance, so we have a cultural appreciation of keys.

    I really dont see why more companies dont use smartcards for authentication. You normally have a smartcard on a lanyard, and this is used to open doors within the building.

    OK, for the home user and e-commerce sites you wont have a company smartcard. But increasingly we see two factor authentication using a one-time code sent to a mobile phone.

    1. doublelayer Silver badge

      Re: Passwords are outdated

      This does not work. Here are the problems:

      Facial recognition: Systems can be fooled by photos in some cases. Models can be created from video footage and sent to the systems. If compromised, the user can't change their face.

      Smart cards: Relatively expensive. Must be written by extra hardware, so a copy of data on the card is usually available. No reader for most cases where they are needed.

      More clearly, keys are considered useful because they have what passwords have. They're hard to just guess in most cases, so they act as a delay. They won't keep someone out forever if they are determined, but they make it hard to just open the door. When there is a problem with them, they get changed. Keys and passwords can be hidden. Faces can't, and smart cards can only if every system they get used on are trusted.

    2. I ain't Spartacus Gold badge

      Re: Passwords are outdated

      Apart from all the problems mentioned, it's silly to call a system (i.e. passwords) outdated, when you don't know what their replacement should be.

      Now if you'd said passwords are a rubbish idea, almost everyone would agree with you. It's just that most of the other ways of doing this are rubbish as well.

      I suspect there may never be a killer solution that is cheap enough to use in all circumstances, while also being very secure (total security being a mythical concept). So we'll end up picking the best of various dodgy compromises, depending on circumstances and budget.

  14. tiggity Silver badge

    Gorge yourself to huge obese blob proportions.

    Lose the gained weight.

    You now have lots of folds of excess skin.

    tattoo your passwords there (on skin "folds" underside so casual thief will not notice)

    Bar life threatening injury / severe skin disfiguring illness, your credentials are safe

    CBA with joke icon

    1. Anonymous Coward
      Anonymous Coward

      That's all fine until somebody watches you doing a handstand.

      1. DropBear
        Trollface

        Well sure, but they'd be left to wonder why their freshly stolen "wow" passcode doesn't work, when they read off the true "mom" one upside down...

  15. Alan J. Wylie

    As recommended by Bruce Schneier

    Write Down Your Password

    Well - it was a long time ago.

  16. theExecutive

    First Pet, and Mother Maiden Name

    Yep im looking to the future, where all passwords can be easily remembered by their password hints, will save acres of paper and plasti binding.

    Just a flip card should do, 50p. Usually i get people to tell me these things anyway, as passwords are so complicated, it comes down to....... Fluffy , Armstrong :)

    1. Giovani Tapini
      Devil

      Re: First Pet, and Mother Maiden Name

      All easily available from you (or partner/friend) facebook timeline...

      next please

  17. vonBureck
    Joke

    Missed a trick

    The cover title should be SDROWSSAP, so the servants can't understand it...

    1. DropBear
      Trollface

      Re: Missed a trick

      Luxury binding, with title on the spine in exquisite calligraphy: "Theof Houseman - Bookword pass"

  18. M. B.

    It's kinda funny, because my parents, now into their 70's, were worried about their online security (a good thing) after hearing that they shouldn't write all their passwords down on a piece of paper from a number of news articles.

    Except that piece of paper is in their house, in their basement, in their office area, in a drawer near their iMac. Literally no one other then them or I will ever look in that drawer and see that piece of paper, and they never have to worry about forgetting a password. But the media sure did a good job of scaring them into thinking they were doing something wrong, even though their attack footprint was impossibly tiny.

    Anyways, only mentioning this because it inconveniences me, and that's the worst inconvenience of all.

    1. Wensleydale Cheese
      Unhappy

      "Except that piece of paper is in their house, in their basement, in their office area, in a drawer near their iMac. Literally no one other then them or I will ever look in that drawer and see that piece of paper, and they never have to worry about forgetting a password. "

      I once attended a Neighbourhood Watch event where a policemen gave tips on securing your home.

      One thing he mentioned was that thieves would look in the right hand* drawer of desks because this is where people would put things like spare car keys, burglar alarm codes and so on.

      I got home and investigated my own right hand drawer, and was surprised how much stuff like that I had there.

      * presumably that would be left hand drawer for left handed folks

      1. katrinab Silver badge

        I’m right handed, but would put stuff in the left hand drawer, as I use the left hand to open the draw and the more dexterous right hand to move things in and out.

  19. Tony W

    Forgetting password is very rarely a disaster

    If you are really you, there is usually a way to get it back, so long as the organisation has a working email address for you on record.

    But someone else getting your password can be very nasty.

    Therefore it is more important to keep your password from others than it is to make sure you can always find it yourself.

    The real problem comes when your descendants try to deal with your account. But people who think logically don't worry about that.

    (As I have recently found, for sensitive sites your registered address should match your "From" address. One that you use only for receiving can cause people to be suspicious when you reply from a different one.)

  20. Robert Carnegie Silver badge

    It's small enough

    Roughly the area of a credit card. So you can store it somewhere very, very safe.

    Just as long as no one watches you getting it out.

  21. David Pearce

    At least it encourages people to use different passwords for each site.

    It's probably more secure than trusting a browser to remember the credentials.

    I am not a big fan for password recovery by email. Gmails near monopoly means that they have an easy opportunity to snoop.

    1. doublelayer Silver badge

      I see your point, but any good system will send you a link that you have to click on, and then you reset your password from there. Short of jumping in ahead of you, which would be a bit obvious, they can't know your password. Of course, they can take some good guesses if they have an evil turn of mind.

      1. Baldrickk

        And those links should be one-time use only. So if you request a reset and it doesn't work, you know there might be something going on there.

  22. Dr Dan Holdsworth
    Pirate

    What a wonderful idea!

    A notebook like this is a very, very good idea indeed, as long as it doesn't contain anything save decoy usernames and passwords for honeypot machines. You could even acquire several different notebooks, leave them in different places and note which honeypot accounts get hit, and when, then cross-reference this with where various visitors and dodgy members of staff have been seen lurking lately.

    1. Allan George Dyer
      Go

      Re: What a wonderful idea!

      As a special service, for a mere $2222, I'm offering an Artisnal service to fill a genuine Fabriano Login & password index notebook with decoy usernames and passwords. Each entry will have a password lovingly crafted using one of over 30 password generation and obfuscation schemes recommended in these esteemed comments.

  23. JJKing
    Happy

    "There's a sucker born every minute."

    Who on earth is going to spend £22 on that tat?

    B. T. Barnum can answer that question for you.

  24. Stevie

    Bah!

    I've carried a written record of all my passwords in an address book tucked into my Moleskine diary's pocket for years.

    Good luck using it if you aren't me.

    They are encoded. As in not-a-cypher, "the matador shall dance with the blind shoemaker" style code.

    1. Ken Moorhouse Silver badge

      Re: Moleskin

      This should give purchasers some insight as to the security of the product.

  25. Anonymous Coward
    Headmaster

    Too right is down is good practice

    and is recommended, the electronic alternative would be a passworded pocket organiser of old.

    but as theReg says it isn't affected by malware just local mal-actors.

  26. Anonymous Coward
    Anonymous Coward

    When it comes to secret questions to confirm ID

    Write the question as a looooong string of alfanumerics nothing more, then the answer anything you want but best as more alfanumerics.

    Write these down as you will never remember them so you will always have to have your book to access things. This stops you giving the game away even if you wanted to.

    So now since your back up questions are harder that you password and all are written down.

    nobody is likely to steal your info.

    keep a copy of the book in your safe or something.

  27. Shaha Alam

    if people are resorting to writing their passwords down, we need to rethink security to accommodate those people who can't remember a minimum of 8 characters and maximum of 16 with at least one capital, one number and one special character, but not that special character or that one, and cant contain an obvious word and must not be a repeat of any of your last 10 passwords, nor can it be a previous password with an obvious sequence number attached to it, or fuck it i dont need a bank account anyway i'll just store my life savings under my mattress instead of having to deal with this existential hell every time.

  28. Pat Harkin

    It's easy to improve security by using this...

    ....just fill it with wrong usernames and passwords, and use a password vault.

    Many moons ago (1975? 1976?) Nat West issued me with an ATM card. It could only withdraw £10, was always retained by the machine to be returned in the post and was protected by a SIX digit PIN.

    I wrote an incorrect PIN on it in pencil, just to be evil.

    About once every 3 months I'd get a letter from the bank advising me having my PIN on the card was bad practice - but I couldn't tell them it wasn't my pin, because that would up their chances of guessing to 3 in 999,999! We're both less paranoid these days - I don't write PINs on cards and banks reckon 4 digitis in enough.

    1. Wensleydale Cheese

      Re: It's easy to improve security by using this...

      "I wrote an incorrect PIN on it in pencil, just to be evil."

      I used to know a chap who worked in a bank and one of his duties was taking the phone calls where holidaymakers had had their cards swallowed by ATMs.

      His comment was that when the cards made their way back to HQ, it was surprising how many had the PIN written on the card itself.

      1. Anonymous Coward
        Holmes

        Re: It's easy to improve security by using this...

        I have on a couple of occasions kept the scratch off pin from the letter in my wallet for a while, with the intention of changing the pin the first time I use a new card, which I forget for a long time if it was a credit card ( ie: a card I won't use in an ATM ).

        I wonder how many people have done that and had their wallets stolen and credit cards raided.

      2. Robert Carnegie Silver badge

        Re: It's easy to improve security by using this...

        I found it pretty hard to decide what to write on my replacement bank card as a reminder to self not to use the old PIN. The catch being that this could look like a disguised way to write down the new PIN, making the card more attractive to steal.

        I decided in the end on - "Remember they gave you a new PIN number so don't use the old one", in capitals.

  29. Version 1.0 Silver badge

    Just secure the written passwords

    It's easy to do - if the password written in the book is "mybad.cat" then when you log in you type the full password ... it's "mybadfu*kingcat" with or without the sanitation.

  30. Anonymous Coward
    Anonymous Coward

    Does anyone remember the game called Hangman?

    ....helped along by a pinch of repetition.

    *

    Notebook entry: E _ _ _ _ _ _ _ _ R N _ _ _ _ D

    Musical user's password: ELGARELGARNIMROD

    *

    Seems pretty secure against a notebook stolen by a random bad guy....especially if the user uses non alpha characters in some patterned manner:

    Notebook entry: E _ _ _ _ _ _ _ _ _ R N _ _ _ _ D

    Musical user's password: ELGAR-ELGARNIMROD

    *

    Notebook entry: M _ _ _ _ _ _ _ _ _ _ _ _ _ _ _L W _ _ _ _ _ _ S

    Racing fan's password: MANSELL92MANSELLWILLIAMS

    *

    Can this scheme be broken quickly by a random bad actor?

  31. blueops

    Out of Stock

    The biggest concern for me is this is our of stock! Can almost guarantee there are a number of people now walking about with all their passwords in their bag!

  32. LowTechSecure

    Passwords on Paper with Digital Backup

    Forget the fancy notebook. Go for a ratty looking loose leaf binder with no label so that it will blend in. Passwords on single sheets in binder. As a back up scan the sheets as images (no text to be searched) and then combine into a single PDF doc. Give it a nondescript title and store it in a dull sounding folder - in more than one folder just for sure. Then there is the off site backup that you should already be doing.

    Now you've got the best of both worlds.

    I've never heard of a notebook falling into a toilet but I know of several smart phones that have demonstrated that capability.

  33. Arachnoid

    P4ssw0RdZ

    The problem is not so much remembering several passwords but in our I.T. fad culture, hundreds of passwords many of which require uppercase,lowercase, number etc or frequent changes for no apparent logical reason . Whilst its not an ideal 100% fool proof solution 2FA using a mobile app generated or recieved code is a way forward , as long as its not just a front to make a system "seem" more secure with a back door via a poorly constructed password. Even the U.S. Presidents Football uses a damn antiquated card code generator which was lost by one president [allegedly]

    Talking of security its amazing how many Banking institutions etc require various ways of the user identifying themself over the phone but have no "Handshake" themselves to verify that they are genuine.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon